Strengthening risk management across the general insurance industry is a key strategic focus area for APRA, and critical to maintaining financial system resilience.
The experience of COVID-19, particularly the issues surrounding Business Interruption (BI) insurance, has raised concerns about the level of robustness applied to the management of insurance risk by some insurers. The financial and reputational impact on the general insurance industry and the uncertainty created in the community over pandemic coverage under BI policies has been significant.
APRA is therefore requiring certain insurers to conduct a risk management self-assessment exercise, aimed at significantly reducing the likelihood of such a problem recurring in the future. The review also focuses on cyber risk; however, APRA expects insurers to ensure their risk frameworks are robust across all product areas and potential exposures. Insurer "ABC" has been selected to participate in this exercise, explained below.
There are three parts to the self-assessment:
Part A – ABC is asked to review the robustness of certain elements of its insurance risk management framework, assess whether these were effective in the context of BI, and identify areas for improvement.
Part B – ABC is then required to assess the extent to which the insurance risk management framework, including any improvements determined in Part A, would be effective in mitigating similar issues emerging within other product lines to those experienced with BI.
In this assessment, insurers are to focus on:
(a) silent cyber exposure across their product lines; and
(b) cyber products (where written).
Part C – To provide an appropriate level of assurance on the self-assessment, ABC’s internal audit function is to review and attest as to the adequacy and robustness of the process undertaken to arrive at the findings of the assessment.
In addition, the board is to endorse the self-assessment and provide information as to the basis of this endorsement and how it assured itself that the exercise was comprehensive and performed to a high degree of probity and accountability.
This letter includes instructions in the Attachment that outline the specific areas of the insurance risk management framework APRA requires ABC to address.
Timing and next steps
The self-assessment is to be completed and submitted to APRA by 30 November 2021. Once received, APRA will analyse and benchmark the results. Specific entity feedback will be provided in early 2022 and APRA will determine follow-up supervisory activities as appropriate.
The consolidated results will be released publicly, focusing on learnings and better practice. Please note, individual entity submissions will not be released publicly.
ATTACHMENT A: IRM self-assessment instructions
This review comprises three parts, all of which need to be completed and submitted to APRA by 30 November 2021.
Using the elements outlined below, the insurer is to review the effectiveness of each element in the context of the issues experienced with Business Interruption (BI) since the COVID-19 outbreak. Specifically:
a) Describe/summarise how the risk control/element operates;
b) Assess the effectiveness of the risk control/element in identifying or mitigating the BI issues; and
c) Identify any areas for improvement in the risk control elements and the plan/timeframe for how these improvements will be, or have been, enacted.
Insurance risk elements to be addressed
1. Product life cycle management
Assess the risk controls of the product life cycle management process giving due consideration to:
a) the product development process for issuing new or materially altered products;
b) the process for changing product wordings, terms and conditions after launch;
c) the stakeholders involved in the product development process including brokers and underwriting agents;
d) the extent to which all insurable risks are considered in the pricing of a product;
e) how legal risk is managed within the product development process and in altering products post-launch;
f) how products are evaluated against issues such as emerging risks, changes to legislation, changes to risk environments, new distribution channels and underwriting staff skill and experience;
g) reviews (and their findings) undertaken at the portfolio/product level, including any reviews undertaken to provide assurance that product development is in accordance with policies and procedures;
h) the qualifications and experience of accountable product and underwriting executives, and the assessment of issued underwriting authorities;
i) how claims information feeds back to product reviews, product enhancements and future underwriting decisions; and
j) enhancements that have been made to the product development process and at other points in the product life cycle in the last 12 months, and/or enhancements that have been identified and are planned to be implemented in the next 24 months.
Consider the effectiveness of the controls to address risks associated with the placement of reinsurance/retrocession and the alignment of this cover with assumed insurance/reinsurance risk. Reinsurance treaties protecting a property portfolio, for example, will carry a set of exclusions that apply across all policies issued, while those policies may contain many versions of the same exclusion. Consideration should include but not be limited to:
a) evaluation of the role of the reinsurance function in product life cycle controls;
b) any reviews undertaken to ensure that insurance coverage, limits and accumulations issued are in accordance with reinsurance treaties / contracts in place;
c) reviews undertaken (and their findings) which cover new products as well as when reinsurers vary coverage at renewal;
d) an assessment of the feedback loop between underwriters and those responsible for reinsurance placement; and
e) how conflicts between the use of broker wordings or underwriting agency wordings and the company’s own wordings are managed.
3. Underwriting and distribution
Consider the effectiveness of controls to address risks associated with underwriting and distribution of products, including but not limited to:
a) management of the risks pertaining to products with multiple different policy wordings;
b) the controls in place to address risks associated with (i) insurer-controlled risks with insurer wordings; (ii) insurer-controlled risks with broker wordings; and (iii) delegated underwriting authorities (including insurer, underwriting agent, and broker wordings);
c) assessing the controls of policy extensions and endorsements, including the monitoring of accumulation exposures from these extensions and endorsements; and
d) how senior management and the board gain comfort that broker or other intermediary wordings align with the intended insurable risks as per the board’s risk appetite.
Consider the effectiveness of the assurance process that supports the insurance risk management framework, including but not limited to the following elements:
a) external and internal audit;
b) reviews undertaken of the framework by the first and/or second line of defence not already included in the sections above; and
c) a summary of any relevant audit reviews conducted over the past three years, as well as highlighting where audit is due to undertake any reviews this audit year. The response should include key findings and any subsequent management actions.
Consider the effectiveness of the governance framework in supporting appropriate oversight of the insurance risk management elements outlined in 1-3 above, including but not limited to:
a) existing committees, including board sub-committees;
b) clarity concerning individual accountabilities;
c) the use of Risk and Control Self Assessments;
d) the degree of representation of the first and second line in committees; and
e) the degree of challenge of senior management by the board.
The insurer is to assess the extent to which the insurance risk management framework, including any improvements determined in Part A, would be effective in mitigating similar issues emerging within other product lines to those experienced with BI with a focus on:
1. Silent cyber
‘Silent cyber’ cover can occur in many insurance products, including both personal lines and commercial lines, where the policy wording neither specifically includes (affirmative cover) nor excludes cyber risks. This ‘silence’ in coverage may leave the insurer exposed to cyber losses it did not intend to cover (similar to what has been seen in business interruption coverage, where policy wordings lacked clarity).
In this section, ABC is to focus on the risks posed by silent cyber exposures across its product lines; this should include commentary on how this risk has been assessed, quantified, managed and/or mitigated, including how ABC arrived at any conclusion there was no exposure if that is the case.
2. Affirmative cyber
If ABC writes an affirmative cyber (or similar) product or product extension, the framework from Part A should be assessed in the context of this product or extension.
Where ABC writes no affirmative cyber product or extension, alternative product(s) may be proposed for assessment, having regard to heightened insurance risk factors such as (but not limited to) new products, new wordings, emerging exposures, high per-risk or accumulated exposure limits, broker wordings and delegated underwriting authorities.
ABC’s internal audit function is to review and attest as to the adequacy and robustness of the process undertaken to arrive at the findings outlined in Part A and Part B of the assessment. In the event the insurer wishes to use a different mechanism for this assurance, this needs to be agreed with APRA.
In addition, the board is to endorse the self-assessment and provide information as to the basis of this endorsement and how it has assured itself that the exercise was comprehensive and performed to a high degree of probity and accountability.
APRA’s expectation is that the self-assessment exercise is undertaken in a comprehensive manner with appropriate depth and probity. The self-assessment submission to APRA should be no more than 20 pages in length and should:
- outline that the scope defined in these instructions has been covered;
- clearly identify any areas of weakness;
- articulate the insights gained from the root cause analysis of these weaknesses; and
- include a plan (including timeframes and accountabilities) for improvements to be enacted.
The submission should not be supplemented with policies and procedures. Working papers, policies and procedures may, however, be in scope for any subsequent targeted insurance risk reviews of insurers following APRA’s review of the self-assessment submissions.